dtranchina
New Contributor

Properly Setting up Failover for WAN, VPN Tunnels, Etc.

Good morning all,

I am new to the forum, so if I am in the wrong place here, please let me know. I am fairly new to FortiGates as appliances, and I have a client that needs some work done. They have a primary and secondary WAN configured, and as far as the WAN goes, failover is set up properly. Unfortunately, their S2S VPNs and client VPN are not.

Here is an overview of the current config:

- Currently have 2 ISPs in failover mode for WAN (the WANs are not currently in a zone)
- 2 existing site-to-site VPN tunnels (policies and routes in place)
- SSL client VPN

I would like to set up as much redundancy as possible, so here is what I'm thinking:

CLIENT VPN FAILOVER:

- Set up a zone for WAN1 and WAN2
- Allow the zone to listen for and accept SSL VPN traffic
- Adjust the SSL VPN config to use the zone interface
- Set up DDNS
- Point the client VPN configuration on endpoints to the DDNS address

That part is simple enough.

Site-to-site VPN failover:

Here is where I'm looking for confirmation.

I think what I would do is use the newly created zone and update the current VPN tunnels with the zone as the interface.

Then, update all of my policies and routes to use the zone as their interface instead of the current WAN1. Correct? Obviously, I would work with the vendors on the other end of the tunnel to update their end to point to the secondary WAN as well.

Am I oversimplifying this? The part that has me concerned is that I believe I will need to break all references to the WANs before putting them in a zone, which would basically mean reconfiguring from scratch. Am I correct there?

Any and all guidance would be greatly appreciated!
